Bug 1805135 (CVE-2020-2732) - CVE-2020-2732 Kernel: kvm: nVMX: L2 guest may trick the L0 hypervisor to access sensitive L1 resources
Status: CLOSED ERRATA
Alias: CVE-2020-2732
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
Depends On: 1806816 1806817 1806818 1806819 1806820 1824398 1824399
Blocks: 1805137
Reported: 2020-02-20 10:49 UTC by Marian Rehak
Modified: 2021-02-16 20:33 UTC (History)

Doc Text:
A flaw was found in the way the KVM hypervisor handled instruction emulation for an L2 guest when nested virtualization is enabled (nested=1). During instruction emulation, the L2 guest could trick the L0 hypervisor into accessing sensitive bits of the L1 hypervisor. An L2 guest could use this flaw to potentially access information of the L1 hypervisor.
Last Closed: 2020-05-12 16:32:14 UTC


Attachments
Preliminary patch (2.52 KB, patch)
2020-02-20 10:52 UTC, Marian Rehak


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2020:2172 0 None None None 2020-05-18 01:01:28 UTC
Red Hat Product Errata RHBA-2020:2173 0 None None None 2020-05-18 02:22:18 UTC
Red Hat Product Errata RHBA-2020:2578 0 None None None 2020-06-16 11:55:42 UTC
Red Hat Product Errata RHBA-2020:4416 0 None None None 2020-10-29 15:10:13 UTC
Red Hat Product Errata RHBA-2020:4417 0 None None None 2020-10-29 15:08:44 UTC
Red Hat Product Errata RHBA-2020:4418 0 None None None 2020-10-29 15:14:06 UTC
Red Hat Product Errata RHBA-2020:4419 0 None None None 2020-10-29 15:12:33 UTC
Red Hat Product Errata RHBA-2020:4420 0 None None None 2020-10-29 15:51:28 UTC
Red Hat Product Errata RHSA-2020:2102 0 None None None 2020-05-12 15:27:11 UTC
Red Hat Product Errata RHSA-2020:2171 0 None None None 2020-05-14 19:07:01 UTC
Red Hat Product Errata RHSA-2020:4060 0 None None None 2020-09-29 20:53:25 UTC
Red Hat Product Errata RHSA-2020:4062 0 None None None 2020-09-29 18:59:21 UTC

Description Marian Rehak 2020-02-20 10:49:58 UTC
Under certain circumstances, an L2 guest may trick the L0 hypervisor into accessing sensitive L1 resources that are supposed to be inaccessible to the L2 guest according to L1 hypervisor configuration.

Only Intel processors are affected. It requires nested virtualization to be enabled, i.e. kvm-intel.nested=1.

Upstream patch(es):
-------------------
  -> https://www.spinics.net/lists/kvm/msg208259.html
  -> https://git.kernel.org/linus/07721feee46b4b248402133228235318199b05ec
  -> https://git.kernel.org/linus/35a571346a94fb93b5b3b6a599675ef3384bc75c
  -> https://git.kernel.org/linus/e71237d3ff1abf9f3388337cfebf53b96df2020d

Reference:
----------
  -> https://www.openwall.com/lists/oss-security/2020/02/25/3
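
Added example (not part of the bug report or of any Red Hat tooling): a host-side check for the two preconditions the description names, an Intel CPU and kvm-intel.nested enabled. The function name `nvmx_exposure` and its result labels are hypothetical; the file paths are arguments so the logic can be run on constructed files.

```shell
#!/bin/sh
# nvmx_exposure [CPUINFO_FILE] [NESTED_PARAM_FILE]
# Prints one of:
#   not-intel | kvm-intel-not-loaded | nested-disabled | nested-enabled
# (labels are made up for this example)
nvmx_exposure() {
    cpuinfo=${1:-/proc/cpuinfo}
    nested=${2:-/sys/module/kvm_intel/parameters/nested}

    # The report states that only Intel processors are affected.
    if ! grep -q '^vendor_id[[:space:]]*:[[:space:]]*GenuineIntel' \
            "$cpuinfo" 2>/dev/null; then
        echo not-intel
        return 0
    fi

    # No parameter file means the kvm_intel module is not loaded,
    # so nested VMX is not being offered to guests.
    if [ ! -r "$nested" ]; then
        echo kvm-intel-not-loaded
        return 0
    fi

    # Depending on the kernel, the parameter reads as Y/N or 1/0.
    case $(tr -d '[:space:]' < "$nested") in
        Y|y|1) echo nested-enabled ;;
        *)     echo nested-disabled ;;
    esac
}

# Query the live host only when invoked as: sh script.sh check
if [ "${1:-}" = "check" ]; then
    nvmx_exposure
fi
```

A result of `nested-enabled` only means both preconditions are met; whether the running kernel already carries the fix is determined by the errata listed on this page.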

Comment 1 Marian Rehak 2020-02-20 10:50:06 UTC
Acknowledgments:

Name: Paolo Bonzini (Red Hat)

Comment 2 Marian Rehak 2020-02-20 10:52:19 UTC
Created attachment 1664312
Preliminary patch

Comment 3 Prasad J Pandit 2020-02-25 05:18:17 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1806816]

Comment 8 errata-xmlrpc 2020-05-12 15:27:08 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:2102 https://access.redhat.com/errata/RHSA-2020:2102

Comment 9 Product Security DevOps Team 2020-05-12 16:32:14 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-2732

Comment 10 errata-xmlrpc 2020-05-14 19:06:59 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:2171 https://access.redhat.com/errata/RHSA-2020:2171

Comment 11 errata-xmlrpc 2020-09-29 18:59:21 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2020:4062 https://access.redhat.com/errata/RHSA-2020:4062

Comment 12 errata-xmlrpc 2020-09-29 20:53:21 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2020:4060 https://access.redhat.com/errata/RHSA-2020:4060

